Hi! Sorry, I'm a little confused with the whole process of making a PR with a fixed issue for a third-party module which was fixed without the involvement of the Node.js triage team.
In particular, I'm unsure how to populate the JSON file. For example, how do I select an id field that doesn't conflict with those of other researchers; and what should go in a slug (just a unique, descriptive string?)
Sorry for the questions, perhaps I missed something in the READMEs.
Hi @joker314, great to see you jump in! :)
Did you visit the actual document related to this in the processes/ dir?
Let us know if there are other things that need better clarifications.
Hi @lirantal,
Thank you for your response! I did take a look at the processes directory, but only saw one pertinent piece of information about vulnerabilities that were fixed external to the triage team, though it's quite possible I missed something.
I have another question about the JSON... are the created_at and updated_at fields about when the module was created, when the fix was created, when the report to the vendor came in, or when the JSON file was being constructed? 🙂
The time should be set for when the vulnerability is/was disclosed.
With most of the work coming through Hacker1 we disclose the vulnerability and PR the JSON file to the repo's db at the same time, so they are mostly synced in that way.
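The three points raised in this thread (an id that does not collide with other researchers' entries, a slug that is unique and descriptive, and created_at/updated_at set to the disclosure time) can be checked mechanically against the existing records before opening the PR. The script below is an added example and is not code from this thread or from the security-wg repository; it assumes one JSON file per record in a directory, that ids are sequential integers (so the next free id is max + 1), that slug collisions are resolved with a numeric suffix, and it uses the hypothetical field names module_name and title for everything beyond the four fields discussed above. The sample database it builds is constructed in a temp directory.

```python
import json
import os
import re
import tempfile
from datetime import datetime, timezone


def load_records(db_dir):
    """Load every *.json record in db_dir (assumption: one vulnerability per file)."""
    records = []
    for name in sorted(os.listdir(db_dir)):
        if name.endswith(".json"):
            with open(os.path.join(db_dir, name), encoding="utf-8") as fh:
                records.append(json.load(fh))
    return records


def next_free_id(records):
    """Highest integer id already in use plus one (1 for an empty db).

    Assumption: ids are sequential integers, so taking max + 1 against the
    current checkout avoids clashing with entries other researchers added."""
    used = [r["id"] for r in records if isinstance(r.get("id"), int)]
    return max(used, default=0) + 1


def unique_slug(records, module_name, title):
    """Lower-case, hyphenated '<module> <title>'; append -2, -3, ... if taken."""
    base = re.sub(r"[^a-z0-9]+", "-", f"{module_name} {title}".lower()).strip("-")
    taken = {r.get("slug") for r in records}
    slug, n = base, 1
    while slug in taken:
        n += 1
        slug = f"{base}-{n}"
    return slug


def build_record(records, module_name, title, disclosed_at):
    """Assemble the new entry; created_at and updated_at are both the disclosure time."""
    stamp = disclosed_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "id": next_free_id(records),
        "slug": unique_slug(records, module_name, title),
        "module_name": module_name,  # hypothetical field name
        "title": title,              # hypothetical field name
        "created_at": stamp,
        "updated_at": stamp,
    }


def write_record(db_dir, record):
    """Write <id>.json, refusing to overwrite an existing file of that id."""
    path = os.path.join(db_dir, f"{record['id']}.json")
    if os.path.exists(path):
        raise FileExistsError(path)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
        fh.write("\n")
    return path


def demo():
    """Constructed sample db (fictitious module and slugs), then one new record."""
    db_dir = tempfile.mkdtemp()
    for rec in ({"id": 140, "slug": "example-module-example-issue"},
                {"id": 141, "slug": "example-module-example-issue-2"}):
        write_record(db_dir, rec)
    records = load_records(db_dir)
    new = build_record(records, "example-module", "Example issue",
                       datetime(2018, 1, 15, 9, 30, tzinfo=timezone.utc))
    write_record(db_dir, new)
    return new


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a fresh checkout of the db directory rather than a stale one: the id is only free relative to what is already merged, so rebase before computing it.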
Hmm okay, hopefully I did this right. I've opened #142, and if I did it wrong, discussion can continue there. For that reason, I'm closing this issue. :tada: